You'd struggle to argue that this year's budget cuts to funding for CSIRO and universities are going to give Australia any kind of advantage in science. It seems that anti-science agenda could also have a direct impact on our ability to deal with online attacks.
Here's how the story goes. At a Cisco-hosted press and analyst panel on cyber-security issues this morning, the question of how businesses could cope with the shortage of staff skilled in IT security came up. One of the most interesting answers came from Gary Blair, adjunct professor of the Edith Cowan University Security Research Institute.
As well as being an International Fellow of the International Cyber Policy Centre at the Australian International Policy Institute, Blair has worked as chief information security officer at three of the big four banks (Commonwealth, Westpac and NAB). (I mention this to circumvent anyone arguing that academics in glass towers have no idea how the real world operates. That's generally a lazy knee-jerk criticism, but in Blair's case it would be a patently ridiculous one.)
Blair explained that in recent years, there had been a concerted effort to establish a cyber-security-focused Co-Operative Research Centre (CRC) in Australia. The CRC scheme, which dates back to 1990, is designed to encourage research collaboration between universities and the private sector, providing funding for topic-specific research operations. CRC schemes receive government funding and help facilitate PhD-level research, as well as creating commercial opportunities.
The application for a cyber-CRC in the 16th funding round wasn't successful, but the applicants were told that it had promise and to apply again in the subsequent round, Blair said. Unfortunately, the 17th round never came, because CRC funding was cut by $80 million over the forward estimates period in the most recent Federal budget. The entire program is being reviewed (a process that won't be finished until March next year), and applications have been suspended in the meantime.
"One of the things about the CRC is it was going to produce 40 PhDs in cyber-security that this country desperately needs," Blair said. Basic IT training is not enough to deal with modern IT security issues, he argued. "The types of things we're dealing with are complex. We do need people who have STEM [science, technology, engineering and maths] education, and we need them to build skills in this area."
To make that project sustainable, we can't just service local IT security needs, Blair said. "We have to have a surfeit of capacity and export it. If we only ever have enough for our own needs, it won't be enough."
Rather than waiting to see if the CRC concept survives (which frankly seems unlikely), Blair said that there was a new plan in place: the Australian Cyber-Security Research Institute, which is due to be announced later this year if plans go well. The downside of an independent approach is no government funding and no certainty, but Blair was keen to talk up the positives: "The good news is we no longer have some of the constraints of the CRC structure, so we are going to invite other researchers in as well." (CRC partners can't be changed without approval from the regulating department.)
I don't want to pretend the CRC would have been an automatic panacea for IT security problems. Even if CRC funding had remained in place, the proposed massive hike in university costs for doctoral students might have put off potential candidates. But the next time you hear a member of the government bleating about the importance of cyber-security awareness, ask them why they didn't put their money where their mouth is in a meaningful, long-term way.